The total number of software vulnerabilities has grown dramatically since 2002. Furthermore, the average time to close or patch a vulnerability may reach 67 days, which leads to a high threat for organizations and may even threaten human life. That is why elaborated security mechanisms must be properly implemented prior to deployment in order to provide an effective level of protection against threats. In the embedded software domain, security vulnerabilities can cause losses for end-users as well as a drastic increase in costs for both production and maintenance.
VeriDevOps aims at bringing together fast and cost-effective security verification through formal modelling and verification, as well as test generation, selection, execution and analysis capabilities to enable companies to deliver quality systems with confidence in a fast-paced DevOps environment. In addition, the formalization of requirements is still a very human-intensive activity; much information is informally exchanged among the engineers and due to this, most verification activities cannot be automated and need human intervention. We argue that this formalization of security requirements and the creation of environment and system models could increase the product quality, and make the development and operation more efficient and less costly. Thus, the key challenge of the project is to automatically express and manage security requirements in an effective and unambiguous way, such that both engineers and stakeholders have a common understanding of their content.
In order to save time and lower the effort for adjusting the prevention and protection mechanisms,VeriDevOps automates the specification and analysis of requirements with security relevance, testing of system realizations, and the integration of these techniques and tools with current VeriDevops practices in industry: Analysis and formalization of a textual description of security requirements from several sources, automated configuration of trace monitors, automated test generation for attacks based on the formal specification of security requirements, automated design and code checks and methods for threat detection and analysis.